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FORMAL METHODS FOR MODELING AND 
ANALYSIS OF HYBRID SYSTEMS 

RELATED APPLICATIONS 

This Application is related to and claims priority from 
provisional application 60/446,964, filed Feb. 11, 2003, the 
entirety of which is incorporated by this reference. 

GOVERNMENT FUNDING 

This application was made in part with government support 
under contract number NAS 1 -00108 awarded by NASA; this 
application was also made in part with government support 
under contract numbers F33615-00-C-3043 and F33615- 
00C-1700 both awarded by the United States Air Force 
Research Office and the Defense Advanced Research Project 
Agency. The Government has certain rights in this invention. 

FIELD OF USE 

The field of use of the invention is data abstraction, and 
more particularly data abstraction of hybrid systems. 

BACKGROUND 

Standard methods for the analysis of hybrid systems rely 
on numerical techniques for solving the differential equations 
and can be unsound on certain classes of hybrid systems. 
These techniques are susceptible to dimension explosion 
problems as the number of state variables increases. What has 
been sought is an approach that is both capable of generating 
sound abstractions and capable of being compositionally 
applied. 

The application of modeling tools to hybrid qualitative and 
quantitative systems, including, in particular biological sys- 
tems, poses significant challenges. A means of providing 
analytical proofs of the unreachability of certain states, as 
well as stability and bistability properties of complex systems 
is sought. This capability is outside the reach of traditional 
modeling for analysis methods. 

Further, what is needed is the ability to reason in an auto- 
mated or semi-automated manner about biological systems to 
answer complex questions about the biological relevance of 
complicated molecular or intercellular signaling or other bio- 
chemical reaction networks. 

SUMMARY OF THE INVENTION 
A. Hybrid Modeling 

The invention provides for the generation of sound abstrac- 
tions in every case, and an algorithm according to the inven- 
tion may be compositionally applied. 

HybridAbstraction, the invention taught herein, provides 
the construction of a series of successively refined, sound 
abstractions of a hybrid system. The resulting abstracted sys- 
tem is a finite “discrete state transition system” suitable for 
model checking. 

Hybrid systems exhibit both continuous and discrete 
dynamics. The core algorithm of HybridAbstraction com- 
bines qualitative techniques for abstracting the continuous 
dynamics with predicate abstraction techniques for abstract- 
ing the discrete transitions. 

Qualitative abstraction consists of keeping only the “sign” 
information of a finite set of functions or forms over the state 
variables of the system while ignoring the exact valuations of 
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the state variables. The sign information is updated by recur- 
sively keeping track of the signs of the ffinctions representing 
the derivative of the original functions. 

HybridAbstraction Includes: 

1 . Selecting the seed forms (a set of polynomials); 

2. Adding higher order derivatives (or integrals) of the seed 
forms, using symbolic differentiation (or integration) algo- 
rithms; 

3. Constructing the abstract system over the abstract state 
space defined by the 3-valued (i.e. positive, negative, zero) 
valuation of each of the forms generated by steps 1 and 2 
hereinabove. Automation of steps 1, 2 and 3 is accomplished 
by means of decision procedures, symbolic analysis, and 
theorem proving. 

In step 1, certain functions can be selected as the seed 
forms. The choice of good seed forms results in better abstrac- 
tions. This observation is valid for both linear and nonlinear 
dynamics and all kinds of functions (not necessarily polyno- 
mial). 

20 : 

Different sets of seed forms can be chosen for different 
discrete modes of a hybrid system. In particular, the algorithm 
described above can be applied compositionally. It can 
exploit the two kinds of compositions observed in hybrid 
systems: 

i) A hybrid system is a composition of synchronously 
executing hybrid automata; 

ii) Each hybrid automation itself is a composition of syn- 
chronously executing, continuous dynamical systems. 

Thus, not all seed forms are saturated under all continuous 
dynamics in step 2. 

Step 3 of the algorithm preferentially uses fault tolerant 
theorem proving. Sound procedures (even if incomplete) can 
be used to construct sound abstractions. In the case where all 
35 the seed forms are polynomials and the continuous dynamics 
are specified using polynomial expressions, then the theorem 
proving support required to automate the HybridAbstraction 
algorithm is the quantifier- free theory of reals, which is decid- 
able. The HybridAbstraction algorithm can be applied on 
other, non-polynomial systems, and on more general seed 
forms. 

B. Biological Systems as Hybrid Models 

The inventive method, herein referred to as HybridAb- 
straction, provides abstraction of a continuous or hybrid 
45 model of a biological system to a finite, discrete model. Sub- 
jecting the resulting model to discrete reasoning tools and 
decision procedures enables a desired output. One manner of 
performing HybridAbstraction includes application of the 
SAL toolkit (SAL: “Symbolic Analysis Laboratory”, an SRI 
50 International developed language and toolset for describing 
and analyzing state transition systems). 

Biological systems are described in terms of qualitative or 
hybrid (qualitative-quantitative) systems. For example, cer- 
tain phenomena may be described in terms of discrete, non- 
55 analogue states: genes are switched on or off; enzymes are 
active or inactive; protein complex formation is favored or 
disfavored relative to environmental factors; introns are in or 
cut out of RNA gene products. 

Describing these sorts of biological systems as qualita- 
60 tively “on/off’ fundamentally ignores the multiple modalities 
of the underlying physical processes — processes which are 
not simply “on” or “off’. Practicing biologists are aware of 
the hybrid nature of the biological systems. 

Computational approaches to biological systems, however, 
65 employ strictly quantitative reasoning, where all phenomena 
are described with exact differential equations describing 
concentrations of various substances. 
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The novel HybridAbstraction approach taught herein rec- 
onciles the strictly quantitative approach of computational 
system biology with the qualitative and qualitative/quantita- 
tive reasoning brought to bear by the modem practicing biolo- 
gist. The inventive approach further enables analysis of a 
system in which many parameters are unknown. 

The HybridAbstraction approach includes: a) Describing a 
biological system in both qualitative and quantitative terms. 
For example, a gene may be “on” or “off*, yet metabolic 
enzyme reactions may be best described as continuous dif- 
ferential equations, b) Formally describing the property of 
interest: using descriptions of the property from decidable 
theories in the system and the property, enabling completely 
automatic reasoning; c) Carving up infinite possible state 
space into regions which are not differentiated by the prop- 
erty; d) Applying discrete system analysis tool: including, but 
not limited to, bounded model checkers, symbolic model 
checkers, explicit-state model checkers, SAT solvers, term 
rewriting systems, Knuth-Bendix completion tools, and/or 
other system analysis tools such as infinite bounded model 
checking, arithmetic decision procedures, and decision pro- 
cedures for combined theories; e) Concretizing the result of 
the application of the discrete system analysis tool to biologi- 
cal system of interest; f) Repeat. The result may further feed 
the analysis. For example, if a counterexample to the property 
is found, then the approach includes concretizing the coun- 
terexample trajectory back into the continuous domain, as 
well as providing output or display to the investigator. 

HybridAbstraction can both suggest and verify properties 
of biological subsystems to enable modular reasoning about 
such subsystems. For example, biology includes many sig- 
naling motifs, and many instances of each motif. HybridAb- 
straction is useful in reasoning about a bistable switch motif, 
or an oscillator motif, and may enable reasoning about larger 
biological networks and systems. HybridAbstraction also 
enables reasoning about potential effects of perturbations to 
the biological system under investigation. One example of 
this is gene knock-outs or knock-ins, as well as environmental 
or drug interaction effects. 

C. Chemical Plant Control 

HybridAbstraction also provides for modeling chemical 
processes in petrochemical and other industrial settings. 
More exact (and provably sound) methods for control of such 
systems can lead to more optimized performance and produc- 
tivity. In particular, certain aspects of the chemical reactions 
underlying industrial processes are known (such as the bal- 
anced chemical equations involved), whereas other aspects, 
such as the dependence of the rate of reaction on continuous 
variables such as pressure and temperature and partial pres- 
sures or concentrations of reactants, products, and various 
poisons. Seed polynomials can be derived from the known 
aspects of the system, and the property of interest (such as 
stability, or optimized generation of target products) formally 
stated. The present invention provides human designers a 
better understanding of petrochemical plant operations and 
status, as well as tools to diagnose anomalous behavior, 
thereby producing safer and more efficient methods for 
chemical plant control. 

D. Nano scale Computer Architectures 

It is possible to fabricate nanoscale electrical components 
just a few nanometers in their smallest dimension. For 
example, silicon nanowires and carbon nanotubes a few 
atoms (~1 nm) in diameter have been grown in laboratories. 
Also, single-molecule devices have been fabricated and 
shown to exhibit diode rectification, negative differential 
resistance, field-effect gating, and nonvolatile switchable 
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behaviors. Unfortunately, all known nanoscale assembly 
techniques suffer from high degrees of uncertainty in place- 
ment: the individual components may be well characterized, 
but where the components end up is at least somewhat uncer- 
5 tain. Top-down assembly techniques such as photolithogra- 
phy do not provide the reliable placement of nanometer-scale 
devices in intentionally designed nano scale patterns. 

D.l Nanoscale Crossbar 

In the particular case of a nanoscale crossbar, which could 
be used as a digital memory device, or as a PLA-style con- 
troller implementing digital logic, a large Cartesian grid of 
nanoscale wires are formed, perhaps 100 by 1 00 up to several 
thousand by several thousand. The vertical wires and hori- 
zontal wires may thus cross at between ten thousand and 
many millions of points. Each crosspoint, however, may only 
cover an area of several square nanometers (say, 2 nm by 2 
nm). In this area may be placed nonvolatile single-molecule 
nanoscale switches, or the horizontal and/or vertical wires 
may be assembled with nanoscale FLASH-memory-like 
floating conductive regions. In any case, each crosspoint is 
capable of storing approximately one bit of information, 
where reading and writing that information is performed 
through precise control of the electrical potential on the hori- 
zontal and vertical wires. 

25 

Unfortunately, the complete lack of top-down nanoscale 
assembly techniques, and the uncertainty of bottom-up 
(chemical) assembly techniques makes it very difficult to 
predict what the exact electrical characteristics of each switch 
point might be. Exacerbating the problem are the numbers of 
switches in electrical contact with each nanowire: uncertainty 
can thus be compounded a thousand fold. 

HybridAbstraction can be advantageously used to perform 
model-based discovery and configuration of nano scale com- 
35 puter architectures assembled from nanoscale components. A 
nanoscale crossbar may be assembled with a high degree of 
uncertainty in molecular placement at the crosspoints; 
HybridAbstraction techniques can be used to refine a model 
of the crosspoint, and thus to enable the reliable use of the 
crosspoint to store information. For example, the threshold 
voltage and current which causes reliable switching of non- 
volatile switches, and the threshold voltage and current which 
enables reliable reading of the stored information may not be 
consistent between crosspoints. HybridAbstraction may be 

used to discover a model of such a crossbar and to enable the 
45 

use of that model to configure the nano scale device. Many 
nanoscale assembly techniques exist to burn-in or perma- 
nently or semi -permanently adjust configuration bits. After a 
reliable model of a nanoscale memory device is constructed 
through HybridAbstraction, an automatic system may set 
these configuration bits to maximize the utility of the device 
as a digital memory or controller. Thus HybridAbstraction is 
useful as a configuration tool, perhaps only once after the 
nanodevice is first manufactured, or perhaps periodically, as 
the device behavior changes due to random faults or environ- 
mental stresses. 

D.2 Nanocell 

Taking seriously the lack of determined top-down assem- 
bly, researchers have developed the concept of a program- 
60 mable nanocell, which welcomes the uncertainty of initial 
fabrication, and exploits the reconfigurability aspects of some 
nanoscale devices in order to construct some digital device of 
interest. In particular, the nanocell concept contemplates a 
rectangular well, bordered by between two to several hundred 
65 CMOS-lithographic-scale leads, containing tens to hundreds 
of nanoparticles, randomly bridged by connections often con- 
taining nonvolatile switchable molecules. Each nanocell can 
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be viewed as a nanoscale plant, where the connections and the 
state of those connections must be modeled accurately 
enough to enable configuring internal connections into a state 
where the nanocell behaves as some target device of interest 
(e.g. an adder). The HybridAbstraction can be used to create 
the necessary model, and seed forms chosen based on the 
electrical probes attached to the outside of the nanocell well. 

D. 3 Nano scale “Trim Bits” Help Push CMOS Limits 

As “standard” photolithographic CMOS assembly tech- 
niques are pushed to smaller and smaller scales, uncertainty 
in device performance leads to suboptimal settings of power 
and clock frequency. HybridAbstraction can be used to deter- 
mine “trim bits” which might be implemented with nanotech- 
nology nonvolatile switches, placed very near CMOS devices 
of interest. For example, the tolerances of photolithographic 
manufacture of a CMOS transistor may not be sufficient to 
accurately control its threshold voltage, but bottom-up-as- 
sembled nanoscale switches sprayed on top of the entire 
CMOS circuit may be selectively switched to bring the 
CMOS transistors back within design tolerances. These “trim 
bits” must be set based on hybrid models of the underlying 
CMOS devices, and HybridAbstraction may be used to build 
such models. 

E. Molecular Modeling 

HybridAbstraction can also be used to model the hybrid 
continuous and discrete behaviors of electrons in small mol- 
ecules, and the physical reshaping of molecules such as pro- 
tein, RNA, and DNA. 

E.l Small Molecule Electrical Characteristics 

The precise electrical characteristics of small molecules 
can be determined experimentally only at very great cost and 
effort using such techniques as break junctions (where a metal 
wire is drawn as thin as possible, and then intentionally bro- 
ken, then a molecule of interest is allowed to assemble bridg- 
ing that break) and electrically instrumented atomic force 
microscopes. The computer modeling of electrical properties 
of small molecules proceeds today with large numerical 
simulations. HybridAbstraction could be used to model the 
discrete and continuous aspects of such systems, and to pre- 
dict properties of interest. 

For example, molecules such as 2,5 diethynylphenyl-4- 
nitroaniline or 2,5-diethynylphenylnitrobenzene have been 
shown to exhibit very strong negative differential resistance, 
the unusual property where the resistance falls as voltage is 
increased. These devices also exhibit switchable states that 
are retained for long periods of time. These properties can be 
exploited to create nanoscale computer memories and logic 
devices. However, the computer modeling of such properties 
is very difficult and prone to error. Rare examples of qualita- 
tive confirmation of computer predictions are far outweighed 
by incorrect predictions. 

HybridAbstraction can be used to model the differential 
equations governing the movement of electrons around a 
molecule, and associated physical conformation changes. 
Classic modeling of molecular systems uses finite element 
methods and is subject to numerical instability and impreci- 
sion. HybridAbstraction can be driven from a given abstract 
property of interest (ex. electrical conductivity) and an under- 
lying model the governing differential equations, to build an 
abstract model of the molecule sufficient to address the prop- 
erty of interest. 

E.2 Protein Folding 

HybridAbstraction techniques can also be applied to help 
understand the energetically favored physical conformation 
of large molecules, and the shape of the electrical potential 
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around them. Proteins are assembled as sequences of amino 
acid residues based on mRNA templates. Once assembled, 
proteins fold into their energetically favored conformation. In 
some cases, proteins are folded further by other proteins, 
5 and/or subsequently modified post-translation, and/or acti- 
vated or deactivated (e.g., by phosphorylation). The compu- 
tational prediction of protein folding is a major challenge. 

HybridAbstraction can be used to build models of large 
protein molecules, and of their external electrical potential, 
to The differential equations governing the interaction between 
the amino acid residues, and between the folded protein and a 
given small molecule can be abstracted into simplified form 
by HybridAbstraction to enable efficient computational pre- 
dictions of physical properties of those proteins, and the 
15 binding of proteins together, and the binding or docking of 
small molecules with proteins. For example, predicting the 
behavior of g-protein-coupled receptor proteins is very diffi- 
cult, because they repeatedly penetrate the cell wall. Hybrid- 
Abstraction can be used to build a simplified model of a 
20 bilipid layer (perhaps as a 2 -d fluid), surrounding aqueous 
envelope, and aspects of the protein conformation can be 
predicted. Conformation change of g-protein-coupled recep- 
tors upon signaling molecule docking can be predicted in a 
similar fashion. 

25 HybridAbstraction can be applied to other long polymers 
such as RNA and DNA. The folding of RNA and the excision 
of introns from RNA sequences can be addressed with 
HybridAbstraction. The binding of proteins to DNA, and the 
remodeling of chromatin- DNA complexes can also be mod- 
30 eled with HybridAbstraction techniques. 

F. Monitoring and Diagnosis 

Abstract models constructed by HybridAbstraction can be 
used for a variety of applications. Firstly, they can be used to 
35 analyze the behavior of the original model. Since the abstract 
models are discrete and finite-state, formal verification 
approaches developed for analysis of discrete-state transition 
systems can be used for their analysis. Secondly, HybridAb- 
straction can also be used in monitoring and diagnosis of 
40 systems, as well as for model validation on such systems. 
HybridAbstraction can be used to perform model-based 
monitoring and diagnosis of complex systems that admit 
hybrid models. For this application, given a hybrid model of 
the plant and controller, HybridAbstraction is used to create 
45 an abstraction by picking the seed forms based on the sensors 
that are attached to the plant. This abstraction is computed 
offline. Now, a monitoring and diagnosis system is built by 
using the sensor readings generated by the system at runtime 
to make transitions on the abstract model. A fault is detected 
50 whenever the monitoring system finds an inconsistency 
between the actual sensor readings generated by the real 
system and the possible transitions on the abstraction. Diag- 
nostic information can then be generated by retracing the path 
on the abstract system. 

55 HybridAbstraction can be used for model validation if the 
monitoring process described above is moved up in the design 
cycle for development of the system. More specifically, a 
monitor, based on an abstraction, is built for the plant model 
and the actual plant is monitored against this abstract model 
60 as described above. Any discrepancies between the actual 
plant model and the abstract plant model points to inaccura- 
cies in the model. Thus, the model of the plant can be refined 
and validated using this approach. The design of embedded 
software, such as controllers, for the plant, is then done over 
65 the validated plant model. The crucial aspect of HybridAb- 
straction as used in these two applications is the fact that the 
abstract models are much simpler compared to the original 
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models and, hence, they can be executed along with the actual 
plant (or the actual plant and the controller) in real time. 

G. Controller Synthesis 

HybridAbstraction provides alternative technology for 
synthesizing controllers for hybrid plant models. The discrete 
transition system abstract system generated by HybridAb- 
straction is amenable to both forward and backward search. 
Hence, controllers that guarantee desired behavior of the 
abstract plant model can be synthesized using the standard 
search based techniques. Controllers synthesized for the 
abstract models are safe for the actual plant model due to the 
soundness guarantees provided by the technique. 

H. Hybrid Automata 

Hybrid systems are modeled as a composition of finitely 15 
many hybrid automata. Each hybrid automata is represented 
in one of two ways: 

Standard hybrid automata: A hybrid automata is specified 
as a finite state automata with continuous dynamics 
given inside each state (using differential equations). 20 

Inside-out hybrid automata: A hybrid automata is specified 
using a single specification of the continuous dynamics 
and complex (If-then-else) expressions for specifying 
mode changes (that is, updates to continuous and dis- 
crete variables). 25 

A combination of these two representations can also be 
used for representation of hybrid systems. All these styles of 
specification of hybrid automata and hybrid systems are inter- 
translatable, but the translated automata are generally too 
large to be amenable to analysis. The HybridAbstraction 30 
technique can construct abstractions directly from these rep- 
resentations, avoiding the translation problems. 

BRIEF DESCRIPTION OF THE DRAWINGS 

35 

FIG. 1 is illustrative of the use of HybridAbstraction within 
an analysis framework. 

FIG. 2 depicts an abstract thermostat system produced 
according to the invention. 

FIG. 3 depicts results of HybridAbstraction applied to a 40 
biological system. 

FIG. 4 relates to biological system modeling. 

FIG. 5 relates to biological system modeling. 

DETAILED DESCRIPTION OF THE INVENTION 45 
Introduction 

Hybrid systems describe a wide class of systems that 
exhibit both discrete and continuous behaviors, such as a 50 
digital system embedded in an analog environment. Since 
hybrid systems frequently operate in safety -critical domains, 
for example, inside automobiles, aircrafts, and chemical 
plants, analysis techniques are needed to support the design 
proces s of embedded software for controlling hybrid systems . 55 

The development of tools and analysis techniques for 
hybrid systems faces two challenges. It has been shown that 
checking reachability for very simple class of hybrid systems 
is undecidable. Several decidable classes have been identi- 
fied, but all of these classes are too weak to represent hybrid 60 
system models that arise in practical applications. In fact, the 
models of the physical environment in real world scenarios 
are usually too large and complicated even for analysis tools 
built on semi-decision procedures and other currently avail- 
able technologies. 65 

Abstraction is a technique to reduce the complexity of a 
system design, while preserving some of its relevant behav- 
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ior, so that the simplified system is more accessible to analysis 
tools and is still sufficient to establish certain safety properties 
(those properties that are true of all states). Two powerful 
abstraction techniques, called predicate abstraction and data 
abstraction respectively, have been used quite successfully in 
analyzing discrete transition systems. The invention includes 
a very simple, yet quite effective, technique based on data 
abstraction, to construct a series of successively finer abstrac- 
tions of a given hybrid system. 

Hybrid automata are mathematical models for representing 
hybrid systems. In contrast to discrete transition systems, 
hybrid automata can make both discrete and continuous tran- 
sitions and hence, their semantics are given in terms of the 
states, which are uncountably many, reached over a continu- 
ous real time interval. However, the theory of hybrid automata 
can be given in terms of infinite-state transition systems that 
contain uncountably many states, but are interpreted over 
discrete time steps. In HybridAbstraction, the uncountable 
state space is mapped into a finite state space by the inventive 
abstraction function. More specifically, the n-dimensional 

real space M." is partitioned into zones that are sign-invariant 
for all polynomials in some finite set. Increasing the number 
of polynomials in the set results in finer abstractions. 

Significantly, HybridAbstraction extends known qualita- 
tive techniques in at least two ways. First, the evolution of 
arbitrary polynomials (over the state variables) is tracked, and 
not just the state variables, while constructing an abstraction. 
Second, whereas qualitative reasoning usually uses the sign 
of only the first derivative, the invention uses the signs of first 
n th derivatives. These two non-trivial extensions make 
HybridAbstraction substantially more powerful. 

HybridAbstraction as illustrated in FIG. 1 provides for the 
construction of a series of finer abstractions, enabling an 
iterative methodology to prove a safety property. Starting 
with a description of a hybrid system 20 and a property of 
interest 10, HybridAbstraction 30 creates a first (relatively 
crude) abstraction 40 (also known as a discrete approxima- 
tion). A formal methods tool 50 then checks whether the 
property of interest 10 holds for this abstract system 40. This 
is represented as a true or false result 60, optionally including 
a counter example for falsehoods and a proof for truths. If the 
property of interest 10 is false, the invention provides for the 
creation of a finer abstraction by an iterative analysis 70 and 
for checking the property again by formal methods tool 50. 
This iterative analysis 70 can be repeated until the property is 
either established or no further refinements of the system can 
be constructed. Because the resulting abstractions 40 are dis- 
crete transition systems, techniques such as model checking 
can be used as formal methods tool 50. Furthermore, Hybrid- 
Abstraction is different from many other approaches to 
hybrid system analysis in that it does not use any numerical 
methods and techniques. 

The process of construction of the abstract system requires 
logical reasoning in the theory of reals. The first-order theory 
of real closed fields is known to be decidable. In HybridAb- 
straction, the first-order theory of reals is used to represent 
sets of continuous states; HybridAbstraction then uses rea- 
soning over the first order theory of reals for creating abstract 
transition systems. 

Preliminaries 

The signature of the first-order theory of reals consists of 

function symbols {+,-,*}, constants M, and predicate symbols 
{=, >, <, =}. In this theory, the set of terms over a set X of 

variables corresponds to the set of polynomials M[X] . The set 
ATM(X), defined as {p~0: pe M[X] and ~e{=, >, <, =}}, is 
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the set of all atomic formulas. The set WFF(X) of first-order 
formulas (over X) is defined as the smallest set containing 
ATM(X) and closed under the boolean operations (conjunc- 
tion a, disjunction v, implication => and negation -l ) and 
quantification (existential 3 and universal V ). The first-order 5 

theory of reals, also denoted by M, is defined as the set of all 
first-order formulas over the above signature (and a countable 
set of variables) that are true over the real numbers. The 

notation is used to denote the fact that the (first-order) 
formula (|) is true in the theory of reals. The first-order theory 
of the real closed fields is a complete theory, i.e., every sen- 
tence in WFF(X) is either true or its negation is true in this 
theory, and the theory is known to be decidable. 

Formulas in WFF(X) are denoted by (|), if , possibly with 15 

subscripts, and use p to denote polynomials in the set R[X] . A 
polynomial p occurs in a formula (|) if there is an atomic 
formula p~0 in (f. The rest of the notation follows the standard 
practice in hybrid systems literature. 

20 

Continuous Dynamical Systems 

For simplicity, hybrid systems with no discrete compo- 
nents are considered in this section, that is, hybrid systems 
with exactly one mode of operation. A continuous dynamical 
system CS is a tuple (X, Init, Inv, f) where X is a finite set of 2 s 

variables interpreted over the reals M, X= M A is the set of all 
valuations of the variables X Init ^X is the set of initial states, 

Inv ^X is the invariant set of states, and f: X • — *TX is a vector 
field that specifies the continuous dynamics. Here TX denotes 
the tangent space of X. Assume that f satisfies the standard 30 
assumptions for existence and uniqueness of solutions to 
ordinary differential equations. The continuous dynamical 
systems considered here are autonomous: they have no 
inputs. 

The semantics, ICSl, of a continuous dynamical system 35 

CS=(X Init, Inv, f) over an interval I=[x a ,x z ] is a collection 
of mappings a: I ^X satisfying 

(a) initial condition: cr(x jelnit, 

(b) continuous evolution: for all xe(x^,x z ), cr(x)=f(cr(x)), and 40 

(c) invariant: for all x€[x^,xj, a(x)€lnv. 

In case the interval I is left unspecified, it is assumed to be the 
interval [ 0 , oo). 

Assume that the flow derivative, f, is specified using poly- 45 
nomial expressions over the state variables X, that is 

fe(M[X]) A , where M[X] denotes the set of polynomials over 

the indeterminates X and coefficients in M, and IXI denotes 
the cardinality of X. These polynomials can be nonlinear in 5Q 
general. 


EXAMPLE 1 

The actuator module in a simple electronic throttle control 55 
system is driven by a pulse-width modulated signal and can 
be described as a hybrid system with two modes: 

when the input signal is high, the system is in the “on” mode 
and is described by 

J 60 


2000 


-(24 -2V-I) 


. 1000 

/ = -^-( 120 - 22 /) 


65 

and when the input is low, the system is in “off’ mode and 
is described by 


. -2000 . 2000 
V = —3~ I I = -g-(5V-m 


In each mode, therefore, the actuator behaves as a continuous 
dynamical system with two continuous variables V and I. 

Discrete Transition Systems 

A discrete state transition system DS is a tuple (Q, Init, t) 
where Q is a finite set of variables interpreted over countable 
domains, Q denotes the (countable) set of all valuations of the 
variables Q over the respective domains, InitRJ is a set of 
initial states, and t ^QxQ is a set of transitions. The semantics, 

IDS 1, of a discrete state transition system DS=(Q, Init, t) is the 
collection of all mappings 0 : N l->Q satisfying 

(a) initial condition: 0(O)€lnit, and 

(b) discrete evolution: for all ieN, (0(i), 0 (i+l))€t. 

In order to define a notion of abstraction precisely, it is 
necessary to establish a correspondence between dis- 
crete evolutions 0 : NH »q and continuous evolutions a: 
[0, 00 ) H^Q. This is done using discrete sampling. 

Definition 1 . A discrete evolution 0: NH >Q is a sufficiently 
complete dis-cretization of a continuous evolution a: 
[0, 00 ) F-»Q if there exists a strictly increasing sequence 

Nxo,x 1 ? x 2 ... ) of reals in the interval [ 0 , 00 ) such that 

(i) T o =0, 

(ii) the function a does not change on the domain (x z , x z+1 ), 
that is, a a(x)=a(x') for all x, x'€(x, x z+1 ), and 

(iii) for all i, 0 ( 2 i)=cr(x z ) and 0 ( 2 i+l)=cr(x), where 
X,<X<X, + 1. 

Intuitively, a sufficiently complete discretization captures 
all the “different” (abstract) states in the given continuous 
evolution. 

Definition 2. Let CS=(X, Init, Inv, f) be a continuous 
dynamical system and DS=(Q, InitQ, t) be a discrete transi- 
tion system. DS is an abstraction for CS if there exists a 
mapping abs: X H*Q such that 

(a) abs (InitX) ^InitQ, and 

(b) for every a aelCSl, if o' is a sufficiently complete 
discretization of abs(a), then cr'elDSl. 

Here, abs is used to also denote lifting of the function abs to 
sets and functions. Thus, abs (InitX)={abs(x): xelnitX}. 
Similarly, if a: [0, 00 ) l->X, then (abs(a))(x)=abs(a(x)). This 
definition of abstraction corresponds to the usual sense of 
abstraction, but is applied here to the infinite state transition 
system associated with a continuous (hybrid) system. The 
problem of constructing discrete transition system abstrac- 
tions for continuous dynamical systems in the sense of Defi- 
nition 2 is considered next. The definition and the procedure 
for constructing an abstraction naturally extends to hybrid 
systems, see Hybrid Automata discussion that follows herein. 

Abstracting Continuous Dynamical Systems 

Data abstraction refers to the idea of using a partition of the 
domain of interpretation of a discrete system as the new 
domain of interpretation (in the abstracted system) for the 
state variables, or expressions over the state variables. The 
invention includes performing data abstraction on continuous 
and hybrid systems. Abstract variables are used that represent 
polynomials over the original continuous variables X and the 
abstract variables are interpreted over a three valued abstract 
domain {neg, pos, zero}. 
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Given a continuous dynamical system CS=(X, InitX, Inv, 
f), the invention constructs the abstract discrete state transi- 
tion system DS=(Q, InitQ, t) in two steps. The first phase 

creates a finite set P^R[Xj of polynomials over the continu- 
ous variables X which are used as the discrete variables Q. In 
the second phase, the initial states InitQ and the transition 
relation t are computed. 

Phase I: Obtaining a Set of Polynomials 

Fixing the set P of polynomials for abstraction involves 
starting with a small set P 0 of polynomials of interest (the 
“seed forms”) and adding to this set the time derivatives of 
polynomials in P 0 . The initial set P 0 could contain, for 
example, the polynomials that appear in the statement of the 
property of interest one wants to establish for the given con- 
tinuous system, or the polynomials that occur in the guards of 
mode change transitions. The phase I saturation process 
involves application of the following inference rule: if p€P, 
then add p, the derivative (with respect to time) of p, to the set ^ 
P unless p is a constant or a constant factor multiple of some 
existing polynomial in P. 

The linear polynomials whose coefficients form a left eigen- 
vector of the A matrix of linear systems should be preferably 
chosen as seed polynomials for hybrid systems with linear 25 
dynamics. In the case of nonlinear systems, suitable seed 
polynomials are generated using techniques from algebraic 
geometry. Lyapunov functions are also good choices of seed 
polynomials. 

Because it is assumed that fe(R[X]) IAn , it follows that 

pe R[X] is a polynomial. However, note that for general flow 
derivatives f, specified using arbitrary polynomial expres- 
sions, the saturation process might not terminate. But there 
are special cases where this process is guaranteed to termi- 35 
nate. 

Nilpotent Systems. Consider the class of linear time invari- 
ant systems specified using a nilpotent matrix A. If X is also 
used to denote the column vector of state variables X then the 
flow rate f=AX and hence, X=AX A polynomial p=2 z ax z can 40 
be written, in matrix notation, as a r X, where a r denotes the 
transpose of a. Thus, p=a r X=a r AX and p=a r A 2 X. Hence, if 
A M =0, then the n-th derivative of the polynomial p is a r A”x=0. 
Thus, the saturation process is guaranteed to terminate for 
such systems. 45 

Systems such that A"=rA m . If the matrix A used to specify 
the flow of the continuous dynamical system CS is such that 

A"=rA m for some constant r€ R and n, meN. then again, the 
saturation process can be shown to terminate. In particular, if 50 
p=a r X is an arbitrary polynomial, then 


dr n 


= ci T A n X = a r rA m X 



55 


current set P to the second phase. A larger set P yields a finer 
abstraction as it results in a larger state space in the final 
abstract system. 


EXAMPLE 2 

Consider the “off’ mode of the actuator in Example 1 . 
Starting with the set P 0 ={V, 1} of polynomials, the phase I 
saturation procedure first adds the polynomial 1=2000/15 
(5V-16I) and then the derivative of this polynomial I=2000 2 / 
15(-16V/3+77I/5). Because the derivative V is a constant 
multiple of the polynomial IeP, it is not added. Note that the 
exact derivatives do not need to be added, but only a polyno- 
mial up to some constant factor. Although the process of 
adding derivatives can be continued, this example stops the 
phase I here with the final set P={V, I, 5V-1 61, -80V+23 11} . 

Phase II: Constructing the Abstract Transitions 

Let CS=(X, InitX, Inv, f) be a continuous system and 

P^R[X] be a finite set of polynomials over the set X of 
variables produced by the first phase. The state variables Q in 
the corresponding abstract discrete system DS=(Q, InitQ, t) 
contains exactly one new variable for each polynomial p€P. 
Thus, Q={q p : p€P}. These new variables are interpreted over 
the domain {pos, neg, zero} and consequently the set Q of all 
discrete states is the set {pos, neg, zero} 0 of all valuations of 
the variables Q over this domain. Any such valuation is rep- 
resented by the corresponding conjunction of atomic formu- 
las. For example, the valuation (q^ F-»pos, q p2 F-»neg, 

q p3 F^zero ) will be thought of as the formula 
p 1 >0Ap 2 <0Ap 3 0. Such conjunctions and valuations are used 
here interchangeably. The set of all conjunctions representing 
such valuations will also be denoted by Q. Note that these 
conjunctions are in the set WFF(X) of formulas over free 
variables X. 

If ipeQ is a state in the abstract system DS, represented, for 
example, as 


A/ejiP; - > 0 A Aie j 2 pj - > 0 A A iej^pj — L 


then the concretization function, y, maps abstract states to sets 
of concrete states and is defined by 

Y(^) = {- xe ^ : ^b 3 i( ; ' : ) > 0V/e/ 1 and Rf^A)<0V*e/ 2 and 

R hp,-(x)=0Vze/ 3 

Here, the notation Rfp(x)>0 means that the polynomial p 
evaluates to a positive number on the point x€ R 1 ^. 

Conversely, if x€X is a concrete state of the system CS, then 
the abstraction function, abs, maps a concrete state to an 
abstract state and is defined by, 


Because the n-th derivative of p is a constant multiple of the 
m-th derivative of p, it does not get added to the set P of 
polynomials in the saturation process. The termination of the 
saturation process is determined by both the initial set P 0 of 
polynomials and the flow derivative f. 

General Case. The inventive abstraction technique works 
for general (possibly non-linear) time invariant systems 
whose flow is specified using polynomials. The termination 
of the saturation phase is not necessary for creating an 
abstraction. It is possible to stop at any point and pass on the 


abs(jv) = A p- > 0 a A p- = 0 a A p- < 0 

v ' /&U ieJ 3 

where J : U J 2 UJ 3 is a partition of the set { 1 ,2, . . . , IPI } such 
that i€J : iff Rhp f (x)>0, ieJ 2 iff Rhp z (x)=0, kJ 3 iff Rhp z (x)<0. 

The Initial States. Assume that the initial set of states InitX 
for the continuous system is specified using a first-order for- 
mula trover X. The initial set of states InitQ consists of all 
valuations ijj of the abstract variables such that the formulas ip 
and ty x are simultaneously satisfiable. 


60 
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Specifically, 

InitQ=V{^eQ: M ^X: i|> A|> x }. 

Lemma 1 . Let CS=(X, InitX, Inv, f) be a continuous system 
with the initial states InitX specified by the first-order formula 
§ x . If DS, InitQ, and abs are as defined as above, then, 
abs (InitX) -InitQ. 

A formula and the set of valuations it represents are used 
interchangeably as the context disambiguates the intended 
meaning. to 

The Transition Relation. An abstract transition (ip 1 ,xp 2 ) € t is 
added if all of the following conditions hold (for all polyno- 
mials p€P): 

(a) if p<0 is a conjunct in ip 1? then 

(al) if M[n|) 1 =>p<0, then p<0 is a conjunct in xp 2 ; 15 

(a2) if Mfnjq =>p=0, then p<0 is a conjunct in xp 2 ; 

(a3) if Mfnjq =^p>0, then either p<0 or p=0 is a conjunct in 
xp 2 ; and 

(a4) if the valuation of p cannot be deduced from xjq, then 2 q 
either p<0 or p=0 is a conjunct in xp 2 ; 

(b) if p=0 is a conjunct in xp l3 then 

(bl) if Mfnjq =>p<0, then p<0 is a conjunct inxp 2 ; 

(b2) if Mfnjq =>p=0, then p=0 is a conjunct in xp 2 ; 

(b3) if Mfnjq =>p>0, then p>0 is a conjunct in xJj 2 ; and 25 
(b4) if the valuation of p cannot be deduced from xp x then 
either p>0, p=0, or p<0 is a conjunct in xp 2 ; 

(c) if p>0 is a conjunct in then 

(cl) if Mfnjq — ^p<0, then either p>0 or p=0 is a conjunct in 

(c2) if Mfnjq =>p=0, then p<0 is a conjunct in xp 2 ; 

(c3) if M|=op ! =>p<0, then p>0 is a conjunct in xp 2 ; and 
(c4) if the valuation of p cannot be deduced from xjq, then 
either p>0 or p=0 is a conjunct in ip 2 . 35 

This completes the phase of adding transitions to the 
abstract system. Note that the sign of p can be directly read off 
from xp! if p was added to P in phase I. If not, then non- 
deterministic transitions from ip 1 are added assuming all pos- 
sibilities for the sign of p . In the final step, this abstract system 40 
is refined to eliminate unreachable states and transitions. 

Refining the Abstraction. Certain abstract states (and tran- 
sition to/from those states) can be deleted because either they 
are infeasible or are explicitly disallowed by the given invari- 
ant set Inv of the concrete system. In particular, if the invariant 45 
set Inv is specified using a first-order formula (p /wv , then one 

may delete all abstract states 4p such that M}3X: xp(X) Ap 7 „ v 
(X). One may also remove all transitions to/from these elimi- 
nated abstract states. Note that this process implicitly 
removes infeasible abstract states, that is, states ip(X) such 50 

that MJQX: ip(X). 

This completes the construction of the abstract system 
DS=(Q, InitQ, t) for the continuous dynamical system CS= 

(X, InitX, Inv, f). 55 

Theorem 1 . Let CS=(X InitX, Inv, f) be a continuous sys- 
tem and DS=(Q, InitQ, t), be the discrete abstraction as 
defined above. Then, DS is an abstraction (Definition 2) for 
CS. 

Even though the abstract transition system is a finite-state 
system, one need not explicitly represent the states and tran- 
sitions. The abstract system can be obtained implicitly with 
the states and transitions specified using predicate formulas. 

EXAMPLE 3 

65 

Following up on Example 2, the abstract transition system 
may be constructed on the set P={V, I, 5V-16I, -80V+231I} 
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of polynomials. Assume that the initial abstract state is 
I>0 aV>0a5V-16I<0a- 80V+231I>0. (The initial abstract 
state is obtained from the stable states in the abstract transi- 
tion system for the “on” mode of the actuator.) 

Of the 3 4 =81 abstract states, only 17 are feasible and the 
infeasible states can be identified using a theorem proven For 
example, the state I=0 aV>0a5V-16I<0 a- 80V+23I>0 is 
infeasible and a decision procedure for the reals can be used 
to deduce that this formula is unsatisfiable, and can therefore 
be removed as described earlier to refine the abstraction. 

The outgoing transitions from the initial state 
I>0 aV>0a5V-16I<0a- 80V+231I>0 are obtained as fol- 
lows: (a) since I>0 and I<0 (as 5V-16I<0), in the successor 
state either I>0 or 1=0, (b) since V>0 and V<0 (as — 1<0), in the 
successor state either V>0 or V=0, (c) since 5V-16I<0 
and5V-16l>0 (as -80V+231I>0), in the successor state 
either 5V-16I<0 or 5V-16I=0, and (d) since -80V+231I>0 
and -80V+231I is unknown, in the successor state either 
-80V+231I>0 or -80V+231I=0. Of the 16 potential succes- 
sors, only 4 are feasible: 

/> 0 A U>0 A 5 V- 1 6/< 0 A- 80 U+23 1/>0 q x : 

/> 0 A U=0 A 5 V- 1 61 <0 A- 80V+23 1/>0 q2 : 

/> 0 A F>0 a 5 V- 1 6 /< 0 A- 80 V+23 17=0 q 3 : 

/=0 Ap =0 A 5 V- 1 61=0 A- 80 V+23 17=0 q 4 : 

Continuing this way, the complete abstract system contain- 
ing ten reachable abstract states can be constructed. It can also 
be determined that among these states, only the state q 4 is 
stable. 

Hybrid Automata 

The technique for constructing finite state abstractions of 
continuous systems (as described above) extends naturally to 
hybrid systems. 

The abstract system corresponding to the hybrid system 
HS=(Q, X, Init, Inv, t, ,f) and a finite set P of polynomials 
(over X) is a discrete state transition system DS=(Q^, Init 4 , 
f 4 ), where Q 4= QU(Q / ,={q p : p€P}) is the set of discrete vari- 
ables, Init 4 SQ 4 is the initial states, and t 4 R^xQ 4 * s the set 
of transitions. The new discrete variables Q^ are interpreted 
over the domain {pos, neg, zero} as before. Thus, the set of 
states in the abstract system Q 4 is Qxjpos, neg, zero} e P 

Let q a =(q, ^) G Q 4 be a state in the abstract system, where 
qeQ is a discrete state of the hybrid automation HS and (p is a 
valuation of the variables in Q P over {pos, neg, zero}. As 
before, <|) is thought of as a formula in WFF(X). The transi- 
tions in the abstract system DS from the state q a are obtained 
as a union of two kinds of transitions: 

Abstractions of the discrete transitions: If (q, Cond, q')€t is 
a discrete transition of the hybrid automata HS, where q, q'eQ 
are discrete states and Cond <= X is a set of continuous states 
(or the guard) represented by, say, the predicate formula (p 
over the variables X, then there is an abstract transition ((q, 

«t>),(q',<|>))et* if mX: (<KX))aOHX)). 

Abstractions of the continuous transitions: The rule for 
constructing new abstract transitions from the continuous 
flows is the same as before. The first component of the state is 
left unchanged: a new abstract transition ((q, cj)),(q, if))) in t a is 
added if xp can be obtained from (|) using the rules given above 
(such rules being applied to the flow corresponding to the 
discrete state q). 

Cases may therefore be handled where the set Q of discrete 
states in HS is infinite provided that the number of distinct 
“modes” (each of which can be specified as a formula over Q) 
are finite. 
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Theorem 2. Let HS=(Q X Init, Inv, t, f) be a hybrid 

automata and P€ M[X] be a finite set of polynomials over the 
set X of real variables. If DS=(Q^=QUQp, Init", X a ) is the 
discrete transition system constructed by the above method, 
then DS is an abstraction for HS. 5 

The following illustrates the abstraction technique on a 
simple hybrid system example. 

EXAMPLE 4 

to 

Consider a thermostat that controls the heating of a room. 
Assume that the thermostat turns the heater on when the 
temperature x is between 68 and 70 and it turns the heater off 
when the temperature is between 80 and 82. Suppose the 
continuous dynamics in the on and off modes are specified 15 
respectively by the equations 

jv =_ x+100 and x=-x. 

Assuming that the heater is initially off and the room tem- 
perature is between 70 and 80, the hybrid automation is given 
by HS=(Q, X Init, Inv, t, f), where Q={q : } is the set of discrete 
variables, Q={on, off} is the set of discrete states (thus, q 1 

€{on, off}), X={x 1 } is the set of continuous variables, X= M is 
the set of continuous states, Init={(off,x): 70<x<80} is the 2 s 
initial condition, Inv={(on, x): x<82}A {(off, x): x> 68 } is the 
invariant set, t={(on, x, off): x>80}U {(off, x, on): x<70} is 
the set of discrete transitions, and f (on)=-x + 1 00 and 
f(off)=-x specifies the continuous flow rates. 

Now, the set of polynomials that appear in the guards are 30 
{x-70, x-80}, and polynomials in the invariant specification 
are {x- 68 , x-82}. The derivative of each of these four poly- 
nomials is x. In the mode when the heater is on, this evaluates 
to -x +100 and in the mode when the heater is off, this is -x. 
Hence, there are two more polynomials, {x, x- 1 00} , in the set 35 
P. Further saturation of the set P of these six polynomials 
under time derivative yields no new polynomials. 

Using the saturated set P of six polynomials, an abstraction 
for the thermostat hybrid model can be constructed and the 
final result is depicted in FIG. 2. In the figure, transitions 40 
arising from the continuous and discrete evolutions of H are 
depicted by dashed lines. Furthermore, the representation of 
abstract states has been simplified. For example, 
the expression 70<x<80 denotes the conjunction 
70<xax<80a68<ax<82a-x+100>0ax>0. This conjunction 45 
is logically equivalent to 70<xax<80. 

The SAL (Symbolic Analysis Laboratory) tool set provides 
interfaces that can be used to construct discrete abstractions 
of hybrid systems as described herein. Other tools known to 
tho se in the art may be used for testing, analysis and checking, 50 
and this discussion is exemplary, and not to be construed as a 
limiting. The quantifier elimination decision procedure for 
the real closed fields is implicitly used to decide the implica- 
tions over the real numbers. The tool QEPCAD [Quantifier 
Elimination in elementary algebra and geometry by Partial 55 
Cylindrical Algebraic Decomposition], which is built over 
the symbolic algebra library SACLIB, has been integrated to 
the theorem prover PVS for this purpose. 

The illustrative discrete abstractions constructed do not 
store information about the duration of a continuous run. 60 
However, HybridAbstraction extends, quite easily, to time 
variant systems by simply explicitly considering time as an 
other continuous variable. Some timing information can be 
included in the abstractions if polynomials containing this 
variable for time are included in the set P. 65 

Qualitative reasoning has been used for modeling and ana- 
lyzing physical systems in the face of incomplete knowledge 
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of the system dynamics. The idea is to interpret a continuous 
variable, say x, over an abstract domain of the form {(-oo 5 c 0 ), 
c 0 .(c 0 .Ci), <=!, (c 15 c 2 ), c 2 , . . . , c„, (c„, 00)}, where c 0 , c 15 . . . , 
c„ eM. are constants. Model construction involves keeping 
track of the sign of the derivative of x. HybridAbstraction 
substantially extends qualitative reasoning by allowing for 
arbitrary polynomials, and not just state variables, for defin- 
ing the qualitative state space. Additionally, HybridAbstrac- 
tion includes the use of signs of higher order derivatives in the 
procedure. The resulting abstractions have more information 
and are more useful, as they are more amenable to analysis. 

Moreover, although the examples of abstractions shown do 
not retain any timing information apart from the temporal 
ordering of abstract states, it is known that timing information 
can be introduced either by treating t as another state variable 
with time derivative equal to 1 , or by incorporating quantita- 
tive timing information in the process of constructing an 
abstraction. See O. Stursberg, et. al. Hybrid Systems IV, vol. 
1273 of LNCS, pages 361-377. Springer- Verlag, 1997. 

HybridAbstraction is amenable to mechanization. Hybrid- 
Abstraction has applications to test vector generation for 
hybrid systems that would cover all regions of the state space, 
where a region is defined as the sub space which is sign- 
invariant for a set of polynomials. The invention also provides 
integration with methods that employ additional quantitative 
information to create an abstraction. 

HybridAbstraction and Biological Systems 

Many databases, standard modeling languages, and tools 
are now becoming available for biological information hav- 
ing to do with network effects. In particular, the Biological 
Simulation Program for Intra-Cellular Evaluation (Bio- 
SPICE) is an open source development movement that is 
creating computational models, tools, and infrastructure to 
help deal with modeling and analysis of complex biological 
systems. 

However, despite the exponentially expanding oceans of 
biological data becoming available, to understand how cells 
compute and control themselves, accurate models that repre- 
sent the aspects salient to the questions of biologists are 
needed. Even relatively simple prokaryotic cells, not to men- 
tion more complex eukaryotic (e.g. human) cells, are so com- 
plex that the models must be aggressively abstracted to enable 
more complete, deep, and scalable analysis, and to present 
results to biological domain experts. 

The construction of mathematical models for biological 
processes is central to the science of bioinformatics and com- 
putational biology, but the inherent complexity of biological 
systems is daunting. Biological processes exhibit dynamics 
that range over a very wide time scale, contain stochastic 
components and sometimes discrete components as well. 
Sigmoidal nonlinearities are commonly observed in biologi- 
cal data correlation and a wide class of such functions is used 
in the resulting models. Biological processes operate at 
widely disparate different time and spatial scales, spanning 
twelve or more orders of magnitude (from single cell to entire 
organism). A complete model of a biological process is quite 
complex and poses a challenge for simulation and analysis. 

Genetic regulatory networks that work inside a cell form 
one class of biological system. Such networks are responsible 
for various kinds of cellular behaviors, for instance, record- 
ing, computing, and reacting to changes in the environment. 
Behavior is controlled through complex interaction between 
various protein concentrations that are regulated by transcrip- 
tion of various genes, and which, in turn, positively or nega- 
tively influence transcription of other genes, thus resulting in 
complex interwoven networks of control. At a much larger 
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scale, metabolism can be studied at the level of the whole 
human body. For example, glucose metabolism can be mod- 
eled to determine the blood glucose concentration in human 
tissues. In these cases, a phenomenological model is con- 
structed using tissue and organ level concentrations as basic 5 
state variables. 

Systems biology explores the quantitative study of biologi- 
cal processes as whole systems instead of isolated parts. 
Biological subsystems interact with one another to perform 
sophisticated biological functions, and a systems level view is to 
necessary to understand the complex dynamics that underlie 
physiology in normal and diseased states. Systems biology 
research has focused on quantitative stochastic or differential 
equation models of biological systems. 

Mathematical models of biological processes are often 15 
constructed by generating equations describing the physical 
laws that govern the system dynamics. The obtained model is 
tuned by determining free parameters and unknown rate con- 
stants using experimental data. However, this is not always 
possible, as quantitative experimental data is plagued with 20 
high levels of noise, and precise rates of reactions are for the 
most part unknown to science. Even when some rate con- 
stants have been inferred using algorithms for determining 
minimal error curve fits for available data points, the resulting 
model is just a “representative” that best matches all the 25 
available data. 

The actual value of the parameter or rate constant is pos- 
sibly stochastic in a given range, so there is a danger of 
overfitting quantitative models to the data, resulting in inac- 
curate predictions that are highly sensitive to small perturba- 30 
tions in input data. Moreover, the number of different state 
variables can grow quite large. Too many variables represent- 
ing different molecular species involved in various compart- 
ments can adversely affect the ability to subsequently simu- 
late and analyze the model. 35 

To further complicate matters, assumptions about homo- 
geneity and the presence of large number of molecules often 
break down at the cellular and cellular compartment levels. 
This means that mathematical models based on such assump- 
tions cannot be expected to be accurate. 40 

An alternative approach is to seek completely qualitative, 
rather than quantitative models of biological systems. Some 
examples of this approach include the high-quality curation 
and analysis of qualitative metabolic pathway information, 
symbolic analysis including term rewriting and model check- 45 
ing of curated pathway models, and other logical modeling 
approaches. However, the focus needn’t be on completely 
logical or symbolic mathematical modeling of biological sys- 
tems. Hybrid systems may be used as an underlying formal- 
ism for modeling and analyzing biological systems. The 50 
qualitative or hybrid qualitative-quantitative modeling and 
analysis of biological systems is referred to as Symbolic 
Systems Biology. 

Biological Hybrid Systems 

Hybrid systems, as described earlier, are mathematical 
models obtained by formally combining continuous dynami- 
cal systems with discrete transition systems. 

Continuous Dynamics 

In a hybrid system, the continuous dynamics of time vary- 60 
ing variables are given using differential equations. In models 
from biology, the differential equations specify how the con- 
centrations of various molecular species evolve over time. 
These differential equations are obtained using standard 
physical laws, such as the law of mass action and the law of 65 
mass conservation once the gene states are fixed by the dis- 
crete logic. 


For example, consider the case when a species X reacts 
(reversibly) with another species Y to form a complex XY. 
Schematically, this is represented by 


X + Y = XY 

A_l 


where k l and k_ x are the reaction rates for the forward and 
backward reactions respectively, and the arrow notation = is 
intended to mean reversible reactions. 

If x,y, and z denote the concentrations of X, Y, and XY 
respectively, then using the law of mass action, which states 
that the rate of a reaction is proportional to the products of the 
concentrations of the reactants, a system of three differential 
equations is described: 

x=-k 1 xy+k_ i z 


^-k^xy+k^z 


z=-k i xy-k_ ] z 

If a species, say X, participates in more than one reaction, 
say 


X + Yi = XYi for /'= 1, 

k-s J 


then its rate equation is obtained by collecting terms from 
each reaction in which it participates. Adding a source and a 
sink term, this becomes 


l l Equation 1 

* = ^ b] l Zj - ^ kjyjx + r src - r sink , 
j = l 7=1 


where Zj represents the concentration of the complex XY y , r src 
is the rate of production of X, and r sink is the rate of utilization 
of X (independent of the reactions that have been accounted 
for explicitly). For example, if X were a protein, then the 
effect of the production of X by transcription would contrib- 
ute a source term and its decay by proteolysis would contrib- 
ute a sink term. 

In the example of modeling the blood glucose in human, 
consider a typical physiologic compartment shown in FIG. 4. 
The mass balances for this compartment can be written as 


VbCbo = Qb(C b > - Cb 0 ) + PA(C/ - C Bo ) -r RBC 


V,C, = PA(C Bo -C,)-r T 


where V B is the capillary blood volume, V 7 is the interstitial 
fluid volume, Qg is the volumetric blood flow rate, PA is the 
permeability-area product, C Bi is the arterial blood solute 
concentration, C Bo is the capillary (and venous) blood solute 
concentration, C 7 is the interstitial fluid solute concentration, 
r RBC is the rate of red blood cell uptake of solute, and r r is the 
tissue cellular removal of solute through cell membrane. In 
the first equation above, the first term on the right-hand side is 
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the effect of convection, the second term corresponds to dif- 
fusion, and the last one is the metabolic sink. 

Discrete Component 

Mathematical models developed by biologists are often 
continuous dynamical systems, as exemplified by much of the 
work in systems biology. 

It is useful to consider hybrid discrete-continuous models 
to enable more complete, deep, and scalable analysis. Hybrid 
modeling and analysis can provide great leverage in the realm 
of complex biological processes, and can also provide 
abstractions useful in presenting results to human users. The 
discrete dynamics can arise in many different ways and a 
discussion of some of them follows. 

The purely continuous models of biological systems can be 
too large and complex to be maximally useful for simulation 
and analysis. On the other hand, a fully discrete approxima- 
tion of the model can sometimes lose crucial and pertinent 
information. Hybrid systems provide a rigorous foundation 
for modeling biological systems at desired levels of abstrac- 
tion, approximation, and simplification. For example, sys- 
tems that exhibit multiscale dynamics can be simplified by 
replacing certain slowly changing variables by their piece- 
wise constant approximation. This is particularly useful when 
the property of interest is defined on a small time scale. 
Additionally, sigmoidal nonlinearities are commonly 
observed in biological data correlation and the corresponding 
models often use (continuous) sigmoidal functions. These 
can also be approximated by discrete transitions between 
piecewise-linear regions. FIG. 5 shows a generic plot of data 
points and the corresponding sigmoidal curve (solid line) 
generated by tuning parametric sigmoidal curves. The solid 
curve is chosen to best match the available data, and the heavy 
dashed line is a piecewise-linear approximation of the data 
points. The light dotted lines represent nondeterministic 
bounds on behavior. In some instances, nondeterministic 
upper and lower bounds are more useful than deterministic 
approximations, because they capture all the behaviors of the 
system. 

For example, gene transcription and translation lead to 
production of proteins in cells. The rate of transcription of the 
corresponding gene determines the source term in Equation 1 
the differential equation for concentration of that protein. 
This term is, in general, a function of the concentrations of 
several other molecules that affect the transcription of the 
relevant gene. This influence of concentrations of proteins 
and sigma factors on transcription is conventionally modeled 
using nonlinear continuous functions. This function is usually 
a steep sigmoidal curve, which is described using higher- 
order polynomial expressions or hyperbolic trigonometric 
functions. Sigmoidal nonlinearities are also observed in many 
other biological data. For instance, in the case of glucose 
metabolism in human body, the normalized rate of peripheral 
glucose uptake (a sink term) is such a nonlinear function of 
the normalized peripheral interstitial insulin concentration. 

The use of sigmoidal functions in biological models can be 
replaced by piecewise constant or piecewise linear approxi- 
mations as shown by the dashed line in FIG. 5, resulting in a 
hybrid model with a discrete mode change logic. Such effects 
are captured via discrete mode changes. A very steep sigmoi- 
dal curve can be approximated by a step function. In the gene 
regulation example, this corresponds to assuming that a par- 
ticular gene can be in one of two states: “on” or “off’. A 
discrete transition describes how the various regulators com- 
bine to choose one of these two states. In completely quali- 
tative modeling, one can represent such states with Boolean 
variables. More refined but still discrete, stepwise models can 
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result from distinguishing more than two states for genes. For 
example, “off’, “low”, “medium” and “high”. More compli- 
cated discrete logic would then describe the process of choos- 
ing between these four possible modes. More accurate 
5 approximations for sigmoidal curves are obtained by piece- 
wise linear approximations. These transitions form the dis- 
crete component of the hybrid model. 

A second source of discrete behavior in models of biologi- 
cal systems is the presence of an inherently discrete process. 
10 The physical laws which yield differential equation (continu- 
ous) models are applicable only under certain assumptions. 
For example, the law of mass action holds only when there are 
large number of molecules which are homogeneously mixed. 
Certain molecular species are present in plenty and the law 
15 of mass action, which states that the rate of a reaction is 
proportional to the products of the concentrations of the reac- 
tants, can be used to describe their evolution using a differ- 
ential equation. But these assumptions may not be true 
always. Inside a cell, there are dynamics that are governed by 
20 the action of only a few molecules. Ignoring the stochastic 
aspect temporarily, chemical dynamics at small numbers are 
best modeled using discrete transitions, cf. the Master equa- 
tion. This again results in hybrid models of biological pro- 
cesses. 

25 Discrete mode changes can also result from the modeling 
of faulty modes. In the case of glucose metabolism, the kid- 
ney does not excrete any glucose in normal conditions, but it 
starts excreting glucose if the level of glucose rises very high. 
This effect can be captured using a discrete transition. 

3 ° 

Nondeterminism and Analysis of Safety Properties 
Uncertainties and stochastic behavior are common in biol- 
ogy. Rate constants and several other parameters in models of 
biological systems are determined using algorithms for deter- 
35 mining minimal error curve fits for available data points. For 
example, the rate constants k 7 and k, in Equation 1 and the 
source and sink terms in that equation are determined in this 
way. The sigmoidal curve of FIG. 5 is obtained this way from 
the given data points. 

40 Parameter values thus obtained are “representative” val- 
ues, they do not capture all observed behaviors. The actual 
value of the parameter is possibly stochastic in a given range. 
In many cases, the interest is in knowing about all possible 
behaviors of the system, rather than the behavior of the sys- 
45 tern assuming a representative value for the parameters. For 
example, when studying the effect of insulin injections on 
blood glucose concentrations, all possible blood glucose con- 
centrations that a human body may exhibit are of interest. In 
such cases uncertainties can be modeled using nondetermin- 
50 ism and the resulting model can be analyzed for all possible 
behaviors. In FIG. 5 the given data points lie between the two 
piecewise-linear curves shown by dotted lines. The nondeter- 
ministic hybrid system resulting from using the two dotted 
lines as the approximation captures all the observed behaviors 
55 of the system (and possibly more). 

Unknown rate constants can be modeled using unspecified 
symbolic constants, called parameters, in a hybrid formalism. 
The rates of reactions and other such unknown constants can 
be modeled as parameters. Numeric values for such param- 
60 eters are not required for subsequent analysis. However, to 
generate nontrivial models that exhibit interesting behaviors, 
these parameters need to be constrained to take only certain 
values. Such constraints can be specified in the model using 
inequalities over expressions containing these parameters. 
65 This gives rise to a highly nondeterministic model, that is, the 
model can exhibit several different behaviors — one corre- 
sponding to every exact numerical instantiation for the 
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parameters that is consistent with the constraints. Although 
this process of nondeterministic modeling does not accu- 
rately capture the stochastic nature of biological processes 
that arises due to random fluctuations on the small numbers of 
molecules involved, the analysis approach reintroduces some 5 
noise by assuming that the unknown parameters are allowed 
to change randomly (while still remaining consistent with the 
constraints) finitely many times. To the extent information 
about exact probabilities remains missing from the non-de- 
terministic model, results of analysis can sometimes be to 
coarse. 

Composition 

Compositionality is an important feature required to model 
and analyze large models of any system. Larger systems are 
described by putting together smaller networks and compo- 
nent subsystems. Compositional modules are subsystems of a 
larger system that exhibit identifiable interfaces, are modifi- 
able independently, and enable abstract modeling. Modular- 
ity is one of the crucial aspects of designing (and describing) ^ 
large systems, including computer software and hardware 
systems. It permits clean and scalable description, and also 
helps appropriately designed tools in performing simulation 
and analysis on the models. 

It is increasingly apparent that biological systems exhibit 
certain kinds of clean modularity. Biological examples of 
modular construction include the universal genetic code, 
translation into amino acid sequences, protein domains, 
operon structure, bilipid layer membranes, organelles, 
organs, communities of organisms, and signaling and meta- 
bolic pathways. Cells contain many different regulatory path- 
ways, or networks of interacting proteins or other molecules, 
in several physical compartments, which interact with each 
other at certain well-defined points. That is, pathways have 
been identified that have identifiable interfaces with other ^ . 
pathways, appear to be modifiable independently, and enable 
abstract modeling. The complete behavior of some aspect of 
a cell can thus be described by putting together all the various 
models for the individual pathways and sharing the informa- 
tion on molecular species that are shared by two or more such 
subsystems. 

HybridSAL 

One approach to modeling is HybridSAL — a system for 
hybrid system modeling and analysis, embodying the present 
invention; other approaches known to those of skill in the 45 
related arts are also amenable for use in the inventive 
approach. Models of hybrid systems can be written in the 
HybridSAL language. These models can then be analyzed for 
safety properties, that is, properties regarding all possible 
behaviors of the system. The analysis is done using an 50 
abstraction and model checking framework. This tool has 
been used on examples from a diverse range of application 
areas such as automobile transmissions, cruise control algo- 
rithms, collision avoidance, and genetic and biochemical net- 
works. 55 

HybridSAL can be used to compositionally build paramet- 
ric hybrid models of biological processes. Three important 
features that enable effective modeling and analysis of regu- 
latory pathways are the use of 

(i) discrete transitions to model activation and inhibition of 60 
transcription, 

(ii) parameters to specify unknown reaction rates in the 

model, with support for specifying constraints on these 
parameters to capture whatever information is available 
about the values of these parameters, and 65 

(iii) composition to build larger models from component 
models. 
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Features such as these distinguish the inventive modeling 
approach from other currently available approaches. 

An automatic tool for simplifying models based on the 
interest of the biologist renders the model amenable to the 
HybridSal tool. Complex multiscale and stochastic models of 
biological processes can be simplified to create smaller 
hybrid models. This process can be guided by the user. There 
are several different options for user input. The user can 
specify the environment and the parts of the model that are 
irrelevant under the given environment can be sliced. Alter- 
natively, the user can specify the time scale of interest and the 
dynamics that happen either at very small or very large time 
scales (compared to what the user has specified) can be 
replaced by algebraic equations or discrete transitions. As 
another option, the user can specify the components (com- 
partments) into which the model should be decomposed. The 
HybridSAL tool can then work on the model thus created by 
the model simplifier. 

Analysis 

A modeling formalism is only as useful as the analysis 
tools that support it. The parametric hybrid modeling formal- 
ism enables the development of a variety of analysis tools. 
Combining discrete and continuous modeling techniques 
results in simpler and more compo sable models. Composi- 
tionality allows for the development of scalable tools. Para- 
metric modeling languages permit the use of tools for model 
refinement. 

Provided are analysis techniques for: 

(a) automatically creating sound approximations of the 
model that are smaller and simpler, thus amenable to 
more intensive (computationally complex) analysis, 

(b) proving properties, such as stability, for the models, 

(c) generating potentially interesting behaviors of the 
model, and 

(d) generating constraints on the unknown parameters 
automatically so that the constrained model exhibits a 
certain behavior. 

Tools for model refinement, simplification, and simulation, 
along with improved methods of presenting abstract models 
and the results of hybrid analysis to biological domain experts 
are provided. 

The process of creating sound abstractions is based on 
combining qualitative techniques with predicate abstraction. 
It is powered by powerful symbolic reasoning engines. The 
simplified model generated is a discrete finite- state transition 
system. It is an abstraction, in a very precise and rigorous 
sense, of the original model. The abstraction technique can be 
further optimized for linear and nonlinear systems. The sec- 
ond step of exploration on this finite-state system is carried 
out using model-checking. 

The kinds of analysis perfoimable on hybrid models of 
regulatory networks is of interest. Such models are almost 
always incomplete and under specified. Hence, the analysis 
process is not a single step activity, but involves interleaved 
steps of a) model reduction, b) model analysis, and c) model 
refinement. 

Model reduction is the process of simplifying the model 
based on experimental or domain knowledge, or based on 
relevance to the particular observation of interest. If interest is 
in a particular behavior of the organism, then the parts of the 
model that do not directly influence this behavior can be 
removed and the resulting simpler model can be used for 
analysis. This process of model reduction can be done by the 
user, or by specialized automated tools. 

Model analysis consists of analyzing the model for exhi- 
bition of given properties. This is presently done in two steps. 
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In the first step, a qualitative model is automatically extracted 
from the given parametric hybrid system model. In the second 
step, the extracted model is analyzed for the properties of 
interest. The qualitative model is an abstraction, in a very 
precise formal sense, of the original model. Formally, it is a 
discrete finite-state transition system. The second step of 
exploration on this finite-state system is carried out using 
model -checking . 

Model refinement involves concretizing or constraining 
some of the unspecified parameters. This step is guided in two 
ways: using the results of the model analysis phase, or using 
some experimentally observed behavior. In the first case, the 
model is refined so that the unexpected results returned by the 
model analysis phase are fixed. 

In the second case, given an observed behavior, the param- 
eters of the model are constrained so that the observed behav- 
ior becomes a valid behavior of the model and unobserved 
behaviors are eliminated. One approach for model refinement 
based on the second approach is described. The well-known 
approach of counter-example guided abstraction refinement 
can be used in the first case. 

EXAMPLES 

Aspects of hybrid modeling and analysis as applied to three 
specific biological examples are presented. Many other 
examples will occur to those of skill in the art, and these three 
are intended as illustrative applications of the inventive 
method 

A. Glucose Metabolism in Humans 

The human glucose-insulin system and the model of this 
system proposed by Guyton et al. and Sorensen is used as an 
illustrative example. This model has been used to design a 
model -based predictive control algorithm to maintain nor- 
moglycemia, via a closed-loop insulin infusion pump, in the 
Type I diabetic patient. A formal correctness analysis of any 
such control algorithm can be established by showing that 
blood glucose level remains between 70 and 100 mg/dl 
always. For “representative” parameter values, this can per- 
haps be shown using simulations, but that analysis would 
never yield real guarantees, since parameter values vary over 
ranges across different individuals. Thus, higher assurance of 
bounds on behavior requires analysis over all behaviors of the 
corresponding nondetermini stic model. Complete explora- 
tion of all behaviors of an abstracted system provides valu- 
able insight beyond the partial exploration of some behaviors 
(eg. forward simulation) of a more concrete system model. 

The final glucose metabolism model consists of twenty- 
two simultaneous nonlinear ordinary differential equations. It 
is obtained by dividing the human body into six physiologic 
compartments: brain, heart and lungs, periphery, gut, liver, 
and kidney. There is a state variable for the glucose and 
insulin concentration in each of these six compartments. 
Wherever necessary, these compartments are subdivided into 
interstitial fluid space and vascular blood space. This model is 
decomposed into three components in HybridSal, describing 
glucose metabolism, insulin metabolism, and glucagon 
metabolism respectively. Additionally, all nonlinearities in 
the model arise from sigmoidal fiinctions, which can be elimi- 
nated in favor of piecewise linear approximations to yield a 
hybrid system with linear continuous dynamics. Further sim- 
plifications are possible by noticing that the change in gluca- 
gon concentrations is very minimal and slow compared to 
other state variables. The insulin concentrations act as inputs 
to the glucose module and consequently the insulin concen- 
trations stabilize first, followed by the glucose concentration 
stabilizing. 
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There are two sources of insulin in the insulin metabolism 
model: pancreatic insulin release and insulin injections. If 
these inputs are set to zero (say, to model a diabetic patient), 
then the insulin model stabilizes at zero because there is no 
5 other source of insulin in the model. 

If it is assumed that the inputs to the insulin module change 
very slowly compared to the dynamics of insulin concentra- 
tion, then the system can be analyzed assuming constant 
inputs. The resulting insulin model is a linear system with one 
to complex eigenvalue with negative real part, and all other 
eigenvalues are real and negative. This indicates that the 
system is stable, though it could exhibit some damped oscil- 
lation. Using the results to compute approximate reachability 
sets of linear systems, it is easy to compute over-approxima- 
15 tions of reach sets for this system. The reach sets enable 
computation of a bound on the insulin concentrations. The 
glucose metabolism module reduces to a linear system if the 
insulin inputs are fixed to their lower or upper bounds. The 
resulting linear system also has one complex and seven nega- 
20 five real eigenvalues. Again using techniques for the approxi- 
mate reachability of linear systems, it is possible to compute 
approximate reach sets that bound the modeled behavior of 
glucose concentrations. Note that because of the construction 
of the abstractions and approximations, the bounds thus 
25 obtained are conservative and robust to small changes in 
parameter values. 

B. Subtilis Sporulation Initiation 

The bacteria Bacillus subtilis initiates spore formation 
when there is a nutrient deficiency and the environment is not 
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conducive to growth. The cellular commitment to sporulate is 
regulated by the complex network of transcriptional control 
of various genes and interactions between various proteins. 
Based on the data provided, a model of the sporulation ini- 
35 tiation network of B. Subtilis was constructed. The HybridSal 
model consists of six components. The phosphorelay chain is 
described in one of the important components. The effect of 
promoters and inhibitors on gene regulation was captured via 
discrete transitions. Unknown rate constants were modeled 
using parameters. The parameters were constrained by 
inequalities. In some cases, the constraints were generated 
using a tool for doing quantifier-elimination over the theory 
of reals, called QEPCAD. As noted above, the constrained 
model is highly nondetennini stic and captures a whole spec- 
trum of behaviors. 

45 

The constrained parametric hybrid model of the sporula- 
tion initiation network was analyzed using Hybrid Abstrac- 
tion and model checking for stability properties. The stability 
properties of the resulting hybrid model were observed to be 
highly sensitive to the discrete logic modeling gene regula- 
tion. The HybridAbstraction approach is partly based on 
qualitative methods. The analysis of the system using these 
techniques partially accounts for some stochastic behaviors 
where the unknown parameters are allowed to fluctuate 
finitely many times to values consistent with the constraints. 
This results in several unexpected and interesting behaviors 
of the sporulation model. 

C. Delta Notch Lateral Inhibition Mechanism 

Inhibitory lateral signaling between adjacent cells (Delta 

60 Notch lateral inhibition) is one of the central processes 
responsible for cell differentiation in a cluster of identical 
cells. HybridAbstraction was applied to model Delta-Notch 
inhibition; the basic modeling unit a hybrid automata and 
more complex models were built using compositions over 
65 hybrid automata. Analysis of the model resulting by creation 
of a finite state discrete abstraction transition system and 
model checking the abstraction against the property of inter- 
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est. The completely automated abstraction technique 
employed suitable decision procedures andtheorem-provers. 
FIG. 3 depicts the abstract SAL transition corresponding to 
the continuous dynamics in the mode delta=false, 
notch=false of the Delta-Notch one cell model. A two cell 5 
complex may be created by composing two single cells. 
Because the SAL modeling language name variables occur in 
two instances of the one cell model, some renaming of vari- 
ables not local to the module is necessary to avoid conflicts. 
Similarly, communication between the two cells is captured 10 
by renaming variables by the same name. 


twocells: MODULE 
LOCAL vdl, vd2 IN 

( (RENAME g4 TO vd2, g5 TO vdl IN cell) 
[] 

(OUTPUT delta2, notch 2 IN 

(RENAME g4 TO vdl , g5 TO vd2, 
delta TO delta2 
notch TO notch2 IN cell ))); 


The composition operator [ ], is used to construct the mod- 
ule “twocells” using two instances of the module “cell.” Con- 
necting the output variable g5 of one cell to the input variable 25 
g4 of another cell is done by renaming them to the same name. 
The variables delta2 and notch2 describe the mode of the 
second cell. 

The module “twocells” can be model-checked against the 
stability properties as in the one cell model. The properties of 3Q 
the two cell model are verified as follows: 


stability4: THEOREM 

twocells I - 35 

G ( (delta AND notch - FALSE AND 
delta2 - FALSE AND notch2) - 
G(delta AND notch - FALSE AND 
delta2 - FALSE AND notch2)) ; 
stability5 : THEOREM 

twocells I - 4Q 

G (( delta - FALSE AND notch AND 
delta2 AND notch2 - FALSE) - 
G(delta - FALSE AND notch AND 
delta2 AND notch2 - FALSE) ) ; 


This shows that the states where one cell has high Delta and 45 
low Notch concentration, while the other has low Delta and 
high Notch concentration are stable states for a two cell 
complex. The other states are shown to be unstable, as model - 
checking the corresponding properties yields a counter-ex- 
ample. However, the property that the two cell system even- 50 
tually reaches one of the equilibrium states does not hold true, 
and the model-checker produces a counter-example. 

The counter example reveals that the property falsifying 
trajectory corresponds to an oscillatory behavior of the sys- 
tem. The abstract transition system can be interpreted as 55 
exhibiting the sum total of all behaviors of specific concrete 
realizations of the original system (using specific initializa- 
tion values and parameter values consistent with the assump- 
tions made during construction of the abstraction). The com- 
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putational time in creating the abstract and the model 
checking time was several seconds real clock time. 

Symbolic Systems Biology promotes the construction and 
experimental validation of models and analyses that explain 
and predict the behavior of biological systems. Symbolic 
Systems Biology is characterized by a synergistic integration 
of theory, computation, and experiment. 

Only through such an interdisciplinary approach can a 
scalable, rigorous, and systematic understanding of complex 
biological processes be achieved. Hybrid discrete-continuous 
formalisms can be used to provide access to computational 
analysis enabling accurate modeling of some of the dynamics 
of biological systems. Together with increasing access to 
biological network information (through exponentially grow- 
ing databases and BioSPICE and related tool platforms) and 
qualitative modeling and analysis techniques, hybrid model- 
ing and analysis of the computation and control of cells, 
tissues, and organisms may enable Symbolic Systems Biol- 
ogy to be useful to biologists. HybridAbstraction is integral to 
hybrid modeling and analysis in complex biological systems. 

What is claimed is: 

1. A computer implemented method for determining the 
validity of a property of interest with respect to a hybrid 
system, wherein at least one of the property of interest and a 
guard of a mode change transition of the hybrid system com- 
prise at least one polynomial, said method comprising the 
steps of: 

a) abstracting the hybrid system to create an abstract dis- 
crete system, wherein abstracting comprises construct- 
ing an abstract discrete system over a set of abstract 
states defined by the positive, negative, and zero valua- 
tion of a saturated set of polynomials constructed by 
saturating an initial set of polynomials selected from the 
polynomials contained in one or both of the property of 
interest and the guards of the mode change transitions of 
the hybrid system, wherein saturating comprises repeat- 
edly choosing a polynomial from the selected set of 
polynomials and adding a time derivative of the chosen 
polynomial to the set unless the time derivative is a 
constant or a constant multiple of a polynomial already 
in the set; 

b) analyzing, using the computer, the validity of the prop- 
erty of interest with respect to the abstract discrete sys- 
tem; and 

c) outputting the validity of the property of interest on the 
computer display. 

2. The method of claim 1, further comprising: 

d) where the property of interest is invalid with respect to 
the abstract discrete system, creating a finer abstraction 
of the hybrid system and analyzing the property of inter- 
est with respect to the finer abstraction. 

3 . The method of claim 1, wherein analyzing the validity of 
the property of interest is performed by model checking. 

4 . The method of claim 1 , wherein the hybrid system is a 
model of a biological system. 

5 . The method of claim 1 , wherein the hybrid system is a 
model of a biological organism. 



